Does your organisation have cyber insurance?

I am going to be bold here and speculate that the percentage of Australian businesses that currently have cyber insurance is very low. From the many conversations that I have had over the last few months, it has become obvious that many businesses don’t see the urgency or need for cyber insurance. Some just don’t understand what it really is for and why they need to have it.

With that in mind, I have decided to create this article to try and help readers of CSO and organisations from small businesses to enterprise organisations understand why they need cyber insurance. Let’s start at the beginning and outline a few statistics to indicate the cybersecurity problem as it exists in Australia and then I will outline what benefits cyber insurance can bring to your organisation. That way you can better make a decision on what cyber insurance packages are best suited for your organisation.

Without making this article a fear mongering exercise to terrify all business owners and readers, let's just look at some events that have occurred over the last year:

Cadbury and TNT were both brought to a halt in June 2017 by a ransomware infection, with TNT appearing to have been the most severely affected in Australia (at least from what has been made public), and its parent company FedEx providing an indicative loss of $374 million from the incident. It was also indicated that several systems were still not restored as of late 2017 and could be permanently lost. They had also indicated that operations had to be handled manually during the several months following the recovery, with some processes still being handled manually because some systems were never fully restored.

In October 2017, the personal information of 5,000 Australian public servants of the Department of Finance, the Australian Electoral Commission and the National Disability Insurance Agency was publicly accessible because of a cloud services misconfiguration. The personal information of almost 50,000 private sector employees, which had been insecurely stored on an Amazon cloud storage service (just one of several worldwide over the last few months), was also easily accessible by anyone. This breach was caused by a private contractor who works with both government agencies and the private sector.

On May 23rd 2018, PageUp, a hiring/recruitment software solutions provider, detected some unusual activity on its IT systems and publicly announced a possible breach on June 5th 2018. PageUp released the statement as required by the new data breach notification laws that had been introduced in February 2018. Will PageUp ever recover from this breach? Possibly not, due to the damage to its reputation and the likely financial hardship it will face trying to rebuild its customers' faith.

These are just three of possibly hundreds of breaches that have occurred over the last year in Australia. It is hard to get an exact figure because the mandatory notification laws only came into effect in February. The reality is that cybercrime is estimated to cost Australian businesses of all sizes around $4.5 billion every year, with evidence that this trend will only get worse as we become more and more reliant on data and our electronic devices for both personal and business use, not to mention that (almost) everything is interconnected via IoT.

So what can you do about reducing your organisation's risks?

Some of the steps are as simple as ensuring that you have an adequate set of policies/procedures in place, having your systems tested by a security professional and training your staff to recognise phishing and scam emails. All of the above will help ensure that your systems are as secure as they can be and that you are prepared to respond to an incident quickly and effectively when it happens. But what about the monetary costs involved with a breach?

The initial costs to a business from a security breach are easy to pinpoint, for example:

Time lost to the organisation from staff not being able to do their jobs, and labour costs for IT/security specialists to come in and recover your systems.

Loss of income from not being able to access encrypted data for all outstanding invoices for which you don’t have a physical printed copy. Some organisations will still pay, but you don’t know what they owe or whether they are telling the truth when they say they don’t have any outstanding invoices at all.

Cost of new equipment and tools/software required to remediate or prevent a secondary incident occurring (it is always more expensive to secure systems after a breach than before an incident occurs).

What does cyber insurance cover?

Although policies will vary between insurers, a typical cyber insurance policy is designed to help you with both preventing breaches in the first place and dealing with them if and when they occur.

Cyber insurance policies usually include the following:

The cost of restoring or recreating electronic data following a breach or leak

Forensic services to investigate a breach

PR coaching in the event a breach harms your business’s reputation

Assistance guarding against data breaches, hacking and employee error

Guidance on how to respond to a breach

Funds to cover the adverse financial effects related to a breach

Funds to cover any fines that might be payable following a breach

Now you know why you should consider cyber insurance and what a policy will generally cover. It is very important that you carefully go through all of your options and understand which items and situations are covered under the policy and which are not, as not all policies are equal. So do your organisation a favour and look into cyber insurance, so that when a breach occurs your organisation has the support it needs to survive. You will thank me later.

Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.